Cybersecurity Lessons Learned in 2014

Large-scale attacks and a widening threat landscape prompted enterprises to rethink their approach to network security.

Data breaches and other security lapses seemed to be the order of the day in 2014. Rarely did a week go by that didn’t bring with it reports of a new exposure. Retailers, healthcare organizations, financial institutions—no sector was immune. From the Heartbleed vulnerability to the hacking of eBay’s user database to the succession of brick-and-mortar stores that experienced breaches in their point-of-sale systems, the dangers to network security have evolved tremendously and emerged alarmingly over the past 12 months. But so have the tools enterprises are using to combat hackers. We talked with industry experts to find out what the threats were, what security vendors are doing to stay a step ahead, and where that leaves administrators.

Cybersecurity challenges in 2014

Scott Gainey, vice president of marketing, industry and programs at Palo Alto Networks, said the threat vectors may not have changed drastically in 2014, but the year did see a significant increase in the sheer volume of malware. Palo Alto Networks uses a sandbox-type technology that is able to track malicious content, and the comparison between pre-2014 figures and those of the last few months is startling. “Today we’re seeing about 31,000 new forms of malware each day, about a 50 percent increase from just 3 months ago,” Gainey explained. “Our average daily trend is growing pretty extensively.” In addition, he noted that the volume of unknown forms of malware—those with no signature attached—is also on the rise.

That malware trend dovetails with the rash of point-of-sale breaches that were a staple of 2014. Their emergence as a serious, widespread threat is no accident. The growth of POS malware in many ways represents a shift in how cyber criminals prefer to do business. “Attackers are still after the same things—credit card numbers—but instead of coming after us at the local machines and stealing credit cards directly from us, more are going after where everyone is in one place,” explained Dan Holden, director of ASERT (Arbor’s Security Engineering and Response Team) at Arbor Networks. He said the focus has moved from going after individuals to going after the middleman. It’s a change that has led to information security lapses far broader in scope than the typical POS breach of just a few years ago.

One pattern from 2014 in particular stands out to Craig D’Abreo, vice president of security operations at Masergy, and that’s the continuing use of silos within many organizations. Even with significant investments in security technology, vulnerability scanning and other tools, he said, “The problem is, a lot of these systems don’t talk to each other.” It’s an approach that undermines the numerous security layers enterprises develop. “We saw different products that bring up good alerts, but there’s no interaction between different pieces of security infrastructure,” D’Abreo explained. Target’s breach and other exposures bear this out, as investigations time and again reveal the presence of red flags that didn’t trigger the proper alert in other parts of the security infrastructure. The human silos within organizations must likewise be broken down to improve cybersecurity collaboration.

Among the factors working against enterprises and security firms in 2014 was the increasing proliferation of inexpensive and easily deployed hacking tools. Low prices and widespread availability “allow any attacker to go out and purchase fairly sophisticated exploit kits for reasonable amounts of money,” Gainey explained, adding, “they can now not just buy a kit, but have access to online tech support.” There’s an entire industry in place to develop these kits and then help buyers tweak and implement them according to their particular needs. A far greater number of people are now able to launch attacks that would have been considered highly advanced just two or three years ago.

Mobile security issues wax, wane

As with previous years, the threat perimeter continued to extend out to mobile devices in 2014. D’Abreo not only sees mobility continuing to be a huge challenge for enterprises, but said, “I definitely think mobile is going to be some of the biggest threats going forward.” Open distribution systems sometimes allow malicious applications to land on an unsuspecting user’s phone. Data that should be protected with passwords and other tools often isn’t, rendering even the simplest of security measures ineffective. “I haven’t seen a lot of good solutions in the mobile space,” D’Abreo said. And while mobile device management and other technologies are available, he said they “help manage data on the phone and enable remote wipe, but there are still inherent challenges in mobile.”

Despite all the worries around a widening threat base and attacks that were very large in scope, though, some security concerns actually eased in 2014. For example, Gainey said his team has seen a reduction in Android-based malware. However, mobility continues to play a role in where an enterprise’s security risks exist and how security teams go about addressing them. “What we’ve seen is a broad acknowledgement, even within the vendor community, that something has to change to protect these different endpoints,” Gainey said. Healthcare and manufacturing organizations in particular are concerned about the myriad mobile devices—not all of them corporate-owned—used to access, store and transmit highly sensitive data. Traditional tools, such as antivirus suites, haven’t been able to provide the security necessary, and Gainey said 2015 will likely bring new solutions to address this critical market.

Addressing cybersecurity challenges

Enterprises are taking steps to limit vulnerabilities and reduce their attack surfaces. For example, legacy firewall technologies may leave a company exposed to vectors that target applications. “Organizations now understand they have to be able to see fundamentally everything, regardless of what port that application might be communicating over or what protocol might be in use,” Gainey said. Another tactic that’s gaining in popularity is more aggressively eliminating things that could bring additional risk into the enterprise. “I don’t need 15 different applications that allow for file transfer,” Gainey explained. “Let’s only enable those that are truly critical to business and block everything else.”

Other changes in how security issues are tackled should be embraced more widely, according to Holden. Primary among his concerns is the industry’s heavy reliance on technology. “We want to buy something that makes a problem go away,” he explained. “Security is just never like that.” Most security concerns are simply too complex to address with technology alone. Instead, Holden encourages a different approach. “I think the focus, for both the enterprise and the security industry, must be more on people and the process side.” He points to the low number of organizations that have a mature incident response team as just one example. “That would be a good place to start,” he said. “It’s easier said than done, but that would be a very transformational thing.”